alert ip any any -> any any (msg:"Block IP for 5 minutes"; sid:1000001;)
alert tcp any any -> $HOME_NET any (msg:"Port scan detected, blocking for 5 minutes"; threshold: type threshold, track by_src, count 5, seconds 60; sid:1000002;)